I am making some progress. I have now turned to Hotspot setup.
I managed to make the hotspot work, but it also gets access to all other devices on the LAN.
So I gather I will need to set up some firewall rules to allow only Internet access to hotspot users.
While looking at that, I noticed that:
a) the Hotspot seems to create a number of dynamic hotspot rules. I gather these are only used to perform the walled-garden access, redirecting SMTP -server-address (if configured) etc.
b) there is a chain 'unused-hs-chain' created with comment ";;; place hotspot rules here"
A few questions about that:
a) I see no place where that rule is called from, so I gather that I have to take care of that myself?
b) if I set up two separate hotspots, I only still get that one 'unused-hotspot-chain', correct?
c) I should really have separate HS chains for 'input', 'forward' and 'output'?
I.e., one chain to handle forwarding traffic from the HS to Internet and vice versa,
another one for 'input', i.e., traffic trying to get to the hotspot address itself (or is that handled fully by the dynamic rules)?
So far I have not seen a writeup/howto that fully gets into the firewall settings required once a hotspot is configured.